Insurers working to fill cyberinsurance data gaps

Maria Korolov
Aug. 4, 2016

Insurers are starting to expand their services to better educate their customers about cyber risk, and even to help them defend against attacks before they happen and deal with the fallout when a breach does occur.

"Almost half -- 45 percent -- of firms are clueless as to whether their cyberinsurance policy is up to date for covering these types of threats," Malone said.

Measuring risk

When it comes to buying insurance, it's all about the risk. Does the customer smoke? Are they a safe driver? Are there smoke alarms in their house?

With cyberinsurance, however, neither the insurance companies nor the enterprises buying coverage have a good way of quantifying risk.

As a result, prices can vary greatly, said Advisen's Bradford. For example, similar coverage from competing insurers can range from $10,000 to $50,000, he said.

"The models just don't exist like they do in the automobile or life insurance industry," said Casey Corcoran, vice president at FourV Systems. "The empirical data just doesn't exist yet for insurance companies to have a robust answer for what is the liability, what is the amount I need to ensure for. And we're in a time now where IT information is increasing at an exponential rate. How do you adapt a model to something that's changing exponentially, especially in an industry that's used to writing policies for a year at a time, or longer?"

FourV is one of many vendors attempting to help insurance companies and their customers measure cyber risks -- not just once, when the policy is first written, but on an ongoing basis.

It's like the way that Progressive offers a discount of up to 30 percent to drivers who install the company's "Snapshot" gadget in their cars, he said.

Some insurers, for example, are looking to move beyond just selling policies to offer complete risk-related services, he said. They'll help companies evaluate their risks before they sell the policies, and then help them deal with breaches that may occur.

Helping companies with their cybersecurity doesn't just help insurers better measure customers' risk; it also gives the enterprises they serve a better understanding of risk, he said. "If I'm talking to the CISO, they're used to answering the question 'Are we secure?' with 'It's a tough job, but I got it.' When pressed, the information security organization will generally answer with technical jargon."

What can cyberinsurance cover?

Forensic investigation costs

Computer and data loss replacement or restoration costs

Increased operational costs

Physical damage resulting from attacks on industrial control systems

Lost business opportunities

Public relations expenses and reputation management services

Notification costs and credit monitoring for data breach victims

Electronic theft and fraud protection

Cyber extortion and ransomware

Legal costs from defending against lawsuits by partners or customers

Penalties and losses incurred due to inability to meet contractual obligations

Expenses and fines related to regulatory and law enforcement investigations